* Problem when writing a custom target for PRE and POST routing.
@ 2006-09-25 21:35 Wayne Schroeder
2006-09-25 21:48 ` Carl-Daniel Hailfinger
2006-09-25 22:42 ` Wayne Schroeder
0 siblings, 2 replies; 4+ messages in thread
From: Wayne Schroeder @ 2006-09-25 21:35 UTC
To: netfilter-devel
I am working on a target module that will rewrite the source, dest, and
mark of a packet. A project I am doing cannot use the stateful nat for
a few reasons. I've accounted for correcting the ip, tcp, udp, and icmp
checksums already (via calling of the ip_nat_cheat_check from
ip_nat_core) and have verified that the sums are indeed correct when
packets leave after being modified in POSTROUTING. My problem seems to
be on the return path in PREROUTING.

When my target is called in prerouting and the checksums on the packet
are corrected -- it has the side effect of corrupting the destination ip
in the packet. The same code called in postrouting works flawlessly. I
have determined the destination address is getting corrupted by looking
at -j LOG after my target is called in the prerouting chain in the
mangle table. I have included the chunk of code from the TCPMSS target
that checks for cloned skbs -- so this is not an issue. If I comment
out my fixChecksums function, the destination address is NOT corrupted.

------------
#include <linux/skbuff.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/udp.h>
#include <linux/icmp.h>
#include <linux/netfilter_ipv4/ip_nat_core.h>  /* declares ip_nat_cheat_check() on 2.4 */

/* Incrementally patch the IP header checksum and, where the transport
 * protocol covers the IP addresses in its pseudo-header, the transport
 * checksum, after a 32-bit field changes from oldData to newData. */
static void fixChecksums(struct sk_buff *skb,
                         u_int32_t oldData,
                         u_int32_t newData)
{
    /* ip checksum */
    skb->nh.iph->check = ip_nat_cheat_check(~oldData, newData,
                                            skb->nh.iph->check);

    /* transport checksum, reached through the skb->h header pointers */
    switch (skb->nh.iph->protocol) {
    case IPPROTO_TCP:
        if (!skb->h.th)
            break; /* bad */
        skb->h.th->check = ip_nat_cheat_check(~oldData, newData,
                                              skb->h.th->check);
        break;
    case IPPROTO_UDP:
        if (!skb->h.uh)
            break; /* bad */
        if (!skb->h.uh->check)
            break; /* UDP checksum disabled: nothing to fix up */
        skb->h.uh->check = ip_nat_cheat_check(~oldData, newData,
                                              skb->h.uh->check);
        break;
    case IPPROTO_ICMP:
        /* ICMP has no pseudo-header: an IP address change does not
         * alter the ICMP checksum, so there is nothing to patch. */
        break;
    }
}
-------

The function is called like so:

    fixChecksums(*pskb, (*pskb)->nh.iph->saddr, info->src.s_addr);
    (*pskb)->nh.iph->saddr = info->src.s_addr;

The above is changing the SOURCE ip of the packet, yet when done in
prerouting, it corrupts the dest ip if the fixChecksums is called.

It certainly seems as if there is a problem with the sk_buff I'm getting
in the context of prerouting. This is on a 2.4.32 kernel using iptables
1.2.11 userland. I am using these kernel and userland versions to
support existing deployed debian stable installs.

It's worth noting that only the first two bytes of the destination ip
seem to be getting corrupted, while the source ip directly in front of
it in the packet gets no corruption. I'm really confused here.

Wayne

* Re: Problem when writing a custom target for PRE and POST routing.
From: Carl-Daniel Hailfinger @ 2006-09-25 21:48 UTC
To: Wayne Schroeder; +Cc: netfilter-devel

Wayne Schroeder wrote:
> I am working on a target module that will rewrite the source, dest, and
> mark of a packet. A project I am doing cannot use the stateful nat for
> a few reasons.

Not directly answering your question, but IIRC in Linux 2.4 it was
possible to do stateless NAT with iproute2. That functionality has
been removed in Linux 2.6 because something broke.
http://lists.netfilter.org/pipermail/netfilter/2005-February/058950.html
http://linux-ip.net/html/nat-stateless.html
However, if you really want to perform stateless NAT with 2.6 kernels
and netfilter, the links above won't help you.

Regards,
Carl-Daniel
--
http://www.hailfinger.org/

* Re: Problem when writing a custom target for PRE and POST routing.
From: Wayne Schroeder @ 2006-09-25 22:42 UTC
To: Wayne Schroeder; +Cc: netfilter-devel

I consulted with ipt_TCPMSS.c and saw that it didn't use h.th to get the
tcp header and instead just looked after the nh.iph data for the tcp
header (calculated from ihl) and modified it there. I tried this, and
it worked perfectly. Granted now I have some sanity code to write, but
it works.

It seems that sk_buff's h member, while being set, simply isn't valid in
PREROUTING.

Wayne

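The resolution above is to locate the transport header from iph->ihl rather than trusting skb->h, while still patching checksums with the ip_nat_cheat_check() recipe. As an added example that is not part of this thread (user-space C on a constructed IPv4/TCP packet; csum_partial, csum_fold, cheat_check, rewrite_saddr, build_packet and packet_valid are hypothetical helper names), the same stateless source-address rewrite with incremental fix-ups of both the IP and TCP checksums, checked against a full recomputation and with the ihl sanity checks a target should do:

```c
#include <stdint.h>
#include <string.h>
/* Ones-complement sum of big-endian 16-bit words (user-space csum_partial analogue). */
static uint32_t csum_partial(const uint8_t *p, size_t len, uint32_t sum) {
    for (; len > 1; p += 2, len -= 2) sum += (uint32_t)p[0] << 8 | p[1];
    return len ? sum + ((uint32_t)p[0] << 8) : sum;
}
static uint16_t csum_fold(uint32_t s) { while (s >> 16) s = (s & 0xffff) + (s >> 16); return (uint16_t)~s; }
/* ip_nat_cheat_check() analogue: swap one 32-bit field's share of a checksum (RFC 1624). */
static uint16_t cheat_check(const uint8_t *oldv, const uint8_t *newv, uint16_t oldcheck) {
    uint8_t oldinv[4] = { (uint8_t)~oldv[0], (uint8_t)~oldv[1], (uint8_t)~oldv[2], (uint8_t)~oldv[3] };
    uint32_t s = csum_partial(newv, 4, (uint16_t)~oldcheck);  /* ~check is the running sum */
    return csum_fold(csum_partial(oldinv, 4, s));             /* adding ~old subtracts old */
}
/* TCP checksum over pseudo-header + segment; 0 means the stored checksum verifies. */
static uint16_t tcp_csum(const uint8_t *ip, const uint8_t *tcp, size_t tcp_len) {
    uint8_t pseudo[12] = {0}; memcpy(pseudo, ip + 12, 8);     /* saddr, daddr, zero, proto, len */
    pseudo[9] = 6; pseudo[10] = tcp_len >> 8; pseudo[11] = tcp_len & 0xff;
    return csum_fold(csum_partial(tcp, tcp_len, csum_partial(pseudo, 12, 0)));
}
/* Stateless saddr rewrite: fix IP checksum, then TCP checksum, then patch the field.
 * The transport header is taken from ihl, never from a cached header pointer. */
static int rewrite_saddr(uint8_t *pkt, size_t len, const uint8_t newsrc[4]) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len) return -1;                     /* reject bogus ihl */
    uint16_t c = cheat_check(pkt + 12, newsrc, (uint16_t)(pkt[10] << 8 | pkt[11]));
    pkt[10] = c >> 8; pkt[11] = c & 0xff;
    uint8_t *th = pkt + ihl;
    if (pkt[9] == 6 && len - ihl >= 20) {                     /* TCP: check at offset 16 */
        c = cheat_check(pkt + 12, newsrc, (uint16_t)(th[16] << 8 | th[17]));
        th[16] = c >> 8; th[17] = c & 0xff;
    }
    memcpy(pkt + 12, newsrc, 4);
    return 0;
}
/* Constructed sample: 40-byte IPv4/TCP SYN 10.0.0.1:1234 -> 10.0.0.2:80, checksums filled in. */
static size_t build_packet(uint8_t *pkt) {
    static const uint8_t tmpl[40] = {
        0x45,0,0,40, 0,0,0x40,0, 64,6,0,0, 10,0,0,1, 10,0,0,2,
        0x04,0xd2,0,80, 0,0,0,1, 0,0,0,0, 0x50,0x02,0xff,0xff, 0,0,0,0 };
    memcpy(pkt, tmpl, 40);
    uint16_t c = csum_fold(csum_partial(pkt, 20, 0)); pkt[10] = c >> 8; pkt[11] = c & 0xff;
    c = tcp_csum(pkt, pkt + 20, 20); pkt[36] = c >> 8; pkt[37] = c & 0xff;
    return 40;
}
/* 1 when both the IP header checksum and the TCP checksum verify after a rewrite. */
static int packet_valid(const uint8_t *pkt, size_t len) {
    size_t ihl = (pkt[0] & 0x0f) * 4;
    return csum_fold(csum_partial(pkt, ihl, 0)) == 0 && tcp_csum(pkt, pkt + ihl, len - ihl) == 0;
}
```

Because the TCP pseudo-header covers the addresses, the same old/new delta applies to both checksums; a UDP datagram would get the same treatment only when its checksum field is non-zero.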